ABSTRACT



A preferred embodiment of the present invention includes a 
method and apparatus for allocating and using IP addresses 
in a network of client systems. More specifically, the present 
invention includes a router which monitors the assignments 
of IP addresses by a DHCP server. As each IP address is 
assigned, the router associates the assigned IP address with 
a trusted identifier which identifies the client system. 
Subsequently, if the router receives a packet directed at the 
assigned IP address, the router forwards the packet to the 
client system having a trusted identifier associated with the 
destination address of the IP packet. Additionally, if the 
router receives a packet from a client system, it uses the 
trusted identifier of the client system to find IP addresses 
associated with the client system. If the source address of the 
IP packet is not included in the IP addresses associated with 
the client system, the packet is discarded. 

14 Claims, 6 Drawing Sheets 
METHOD AND APPARATUS FOR 
ASSIGNMENT OF IP ADDRESSES 

RELATED APPLICATIONS 

The following co-pending patent applications, which 
were filed on Dec. 9, 1996, are related to the subject 
application and are herein incorporated by reference: 

1. Application Ser. No. 08/763,234, entitled "Method and 
Apparatus for Client-Sensitive Name Resolution Using 
DNS" of Swee Boon Lim, Sanjay R. Radia, and Thomas 
Wong. 

2. Application Ser. No. 08/762,393, entitled "Method and 
Apparatus for Access Control in a Distributed Multiserver 
Network Environment" of Thomas Wong, Sanjay R. 
Radia, Swee Boon Lim, Panagiotis Tsirigotis, and Rob 
Goedman, now U.S. Pat. No. 5,835,727. 

3. Application Ser. No. 08/762,402, entitled "Method and 
Apparatus for Dynamic Packet Filter Assignments" of 
Sanjay R. Radia, Swee Boon Lim, Panagiotis Tsirigotis, 
Thomas Wong, and Rob Goedman now U.S. Pat. No. 
5,840,233. 

4. Application Ser. No. 08/763,289, entitled "Load Balanc- 
ing and Failover of Network Services" of Swee Boon 
Lim, Ashish Singhai, and Sanjay R. Radia, now U.S. Pat. 
No. 5,938,732. 

5. Application Ser. No. 08/763,068, entitled "Secure DHCP 
Server" of Swee Boon Lim, Sanjay R. Radia, Thomas 
Wong, Panagiotis Tsirigotis, and Rob Goedman, now U.S. 
Pat. No. 5,884,212. 

6. Application Ser. No. 08/763,068, entitled "A Method to 
Activate Unregistered Systems in a Distributed Multiser- 
ver Network Environment" of Thomas Wong and Sanjay 
R. Radia. 

7. Application Ser. No. 08/762,953, entitled "A Method for 
Using DHCP to Override Learned IP Addresses in a 
Network" of Sanjay R. Radia, Thomas Wong, Swee Boon 
Lim, Panagiotis Tsirigotis, Rob Goedman, and Mike 
Patrick, now U.S. Pat. No. 5,922,049. 

8. Application Ser. No. 08/762,705, entitled "Dynamic 
Cache Preloading Across Loosely Coupled Administra- 
tive Domains" of Panagiotis Tsirigotis and Sanjay R. 
Radia. 

The following co-pending patent application is related to 
the subject application and is herein incorporated by refer- 
ence: 

9. U.S. application Ser. No. 08/673,951, filed Jul. 1, 1996, 
entitled "A Name Service for a Redundant Array of 
Internet Servers" of Swee Boon Lim. 

FIELD OF THE INVENTION 

The present invention relates generally to security in 
computer networks. More specifically, the present invention 
is a method and apparatus for assignment of IP addresses 
that discourages IP address forging. 

BACKGROUND OF THE INVENTION 

Recent years have witnessed an explosive growth in the use of computer networks. In fact, the use of computer networks to connect disparate computer systems around the world has become a routine and accepted fact. One result of the ever-increasing use of computer networks is an ever-increasing need for security systems.

Computer networks that use the Internet protocol are commonly referred to as "IP networks." Within IP networks, host systems and other objects are identified by thirty-two bit numbers, known as Internet Protocol Addresses (IP addresses). IP addresses provide a simple mechanism for identifying the source and destination of messages sent within IP networks. Unfortunately, several methods exist that allow IP addresses to be falsified, or forged. By forging an IP address, a malicious user may usurp messages within the IP network, possibly gaining access to sensitive information. Forging IP addresses also allows malicious users to send bogus messages. These messages can easily have a negative impact on network security if a receiving system accepts them as genuine. In a general sense, the possibility that IP addresses may be forged forces systems within IP networks to assume that IP addresses are unreliable.

The unreliability of IP addresses has also discouraged the development and use of programs known as "packet filters." More specifically, packet filters are programs that are positioned at key points within an IP network, such as within network routers. Packet filters examine packets that cross these key points and discard those packets that appear to present a threat to network security.

An example of packet filtering would be a company that uses a router to link its internal intranet with an external network, such as the Internet. In such a network, a packet filter positioned within the router could inspect the header of each received packet to determine the address of the system sending the packet. Clearly, in this case, packets that arrive from the Internet but that have source addresses that correspond to addresses of systems within the company intranet are suspect. A packet filter included in a router would, therefore, discard packets of this type.

The preceding example of a packet filter works well because it assumes that the source address included in an IP packet may be forged. In fact, the example packet filter is designed to detect this type of forged source address. Unfortunately, the unreliability of IP addresses has, to some extent, discouraged a more generalized use of packet filtering systems.

SUMMARY OF THE INVENTION 

A preferred embodiment of the present invention includes a method and apparatus for assignment of IP addresses that discourages IP address forging. More specifically, a preferred environment for the present invention is a computer network that includes a series of client systems. Each client system is connected to a corresponding cable modem that is connected, in turn, to a router. An access network control server (ANCS) controls configuration of the router. A services management system (SMS) dynamically reconfigures the ANCS. The network includes one or more DHCP server systems that provide for allocation of IP addresses in accordance with the Dynamic Host Configuration Protocol (DHCP) defined in Internet RFC 1541.

On power-on, each client system requests an IP address by broadcasting a DHCPDISCOVER message to the network using one of the cable modems. The router receives the DHCPDISCOVER message and forwards the DHCPDISCOVER message to the DHCP servers within the network. Before forwarding the DHCPDISCOVER message, however, the router encodes a trusted identifier into the vendor-specific options field of the DHCPDISCOVER message. The trusted identifier is an unforgeable object that positively identifies the client system sending the DHCPDISCOVER message; it is supplied by the router, never by the client. For a preferred embodiment of the present invention, the trusted identifier is the id of the cable modem from which the DHCPDISCOVER message was received.

In response to the DHCPDISCOVER message and the DHCPREQUEST that follows it, a DHCPACK message is generated by one of the DHCP servers. The DHCPACK message includes an IP address for the client system and the trusted identifier originally encoded in the DHCPDISCOVER message by the router. The router listens for DHCPACK messages and, when one is received, examines the included IP address and trusted identifier. Using the trusted identifier and the IP address included in the DHCPACK message, the router "learns" the address of each client system requesting an IP address. In this way, the router forms an association between the IP address and the trusted identifier. An IP address associated with a trusted identifier is called a "learned" IP address.

When the router receives a packet directed at a learned IP address, it forwards the packet to the modem that is associated with the learned IP address. This action prevents client systems from usurping IP addresses to gain illicit access to IP packets. Additionally, when the router receives a packet from a modem, it compares the source address included in the packet with the IP addresses that are associated with that modem. If the packet does not originate from an IP address that the router recognizes as being associated with the sending modem, the packet is discarded.
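The exchange summarized above, as an added example that is not part of the patent and not code from the patent's assignee: a Python model of a DHCP message in the standard BOOTP/DHCP wire layout (the layout of RFC 1541, which RFC 2131 retains), with the router writing the cable modem id into the vendor-specific information option (option 43) of the DHCPDISCOVER, the server copying chaddr and that option into its DHCPOFFER and DHCPACK, and the router reading yiaddr and the trusted identifier back out of the DHCPACK. The sub-option tag (1) used inside option 43, the modem id bytes, the transaction id and the addresses are all constructed for the example; the patent does not specify an encoding for the identifier.

```python
"""Added example (not the patent's code): the four-message exchange, with the
router inserting the trusted identifier into the vendor-specific option of the
DHCPDISCOVER and reading it back, together with yiaddr, from the DHCPACK."""
import struct
from ipaddress import IPv4Address

BOOTREQUEST, BOOTREPLY = 1, 2                    # op field: client -> server, server -> client
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5       # DHCP message type values carried in option 53
OPT_MSG_TYPE, OPT_VENDOR, OPT_PAD, OPT_END = 53, 43, 0, 255
MAGIC = b"\x63\x82\x53\x63"                      # cookie that starts the options field
SUB_TRUSTED_ID = 1   # assumed sub-option tag inside option 43; the patent specifies no encoding


def encode(op, xid, yiaddr, chaddr, msg_type, vendor=b""):
    """Build a DHCP message: 236-byte fixed header, magic cookie, then option TLVs."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, len(chaddr), 0, xid, 0, 0x8000,           # htype=Ethernet, hops=0, broadcast flag
        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)              # chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if vendor:
        options += bytes([OPT_VENDOR, len(vendor)]) + vendor
    return header + MAGIC + options + bytes([OPT_END])


def decode(pkt):
    """Parse op, xid, yiaddr, chaddr and the option TLVs out of a DHCP message."""
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        tag, length = pkt[i], pkt[i + 1]
        options[tag] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": pkt[0], "xid": struct.unpack("!I", pkt[4:8])[0],
            "yiaddr": str(IPv4Address(pkt[16:20])),
            "chaddr": pkt[28:28 + pkt[2]], "options": options}


def trusted_id_of(msg):
    """Return the trusted identifier carried in option 43 of a decoded message, or None."""
    vendor, i = msg["options"].get(OPT_VENDOR, b""), 0
    while i + 1 < len(vendor):
        tag, length = vendor[i], vendor[i + 1]
        if tag == SUB_TRUSTED_ID:
            return vendor[i + 2:i + 2 + length]
        i += 2 + length
    return None


def router_tag_discover(pkt, modem_id):
    """Router side: re-encode a DHCPDISCOVER with the receiving modem's id in option 43."""
    m = decode(pkt)
    if m["op"] != BOOTREQUEST or m["options"].get(OPT_MSG_TYPE) != bytes([DISCOVER]):
        raise ValueError("only DHCPDISCOVER messages are tagged")
    vendor = bytes([SUB_TRUSTED_ID, len(modem_id)]) + modem_id
    return encode(BOOTREQUEST, m["xid"], "0.0.0.0", m["chaddr"], DISCOVER, vendor)


def server_reply(pkt, msg_type, yiaddr):
    """Server side: answer with OFFER or ACK, copying chaddr and option 43 from the request."""
    m = decode(pkt)
    return encode(BOOTREPLY, m["xid"], yiaddr, m["chaddr"], msg_type,
                  m["options"].get(OPT_VENDOR, b""))


def run_exchange(client_mac, modem_id, leased_ip):
    """DISCOVER -> OFFER -> REQUEST -> ACK; returns (yiaddr, trusted id) as the router learns them."""
    discover = encode(BOOTREQUEST, 0x2A3B4C5D, "0.0.0.0", client_mac, DISCOVER)  # client broadcast
    tagged = router_tag_discover(discover, modem_id)             # router adds the trusted identifier
    offer = decode(server_reply(tagged, OFFER, leased_ip))       # server allocates yiaddr
    assert trusted_id_of(offer) == modem_id                      # router forwards OFFER to this modem only
    # The client copies chaddr and the vendor information from the OFFER into its REQUEST.
    request = encode(BOOTREQUEST, offer["xid"], "0.0.0.0", offer["chaddr"], REQUEST,
                     offer["options"][OPT_VENDOR])
    ack = decode(server_reply(request, ACK, leased_ip))          # server confirms the lease
    return ack["yiaddr"], trusted_id_of(ack)                     # what the router records
```

A caveat a practitioner would add: the scheme as described relies on the client copying the vendor information from the OFFER into its REQUEST. A client that omits it produces a DHCPACK without the identifier, so the router learns nothing; re-encoding the identifier on the REQUEST exactly as `router_tag_discover` does on the DISCOVER removes that dependency on client behaviour.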

In accordance with the purpose of the invention, as 
embodied and broadly described herein, the present inven- 
tion is a method for allocating and using IP addresses in a 
computer network that includes one or more client systems 
connected to a router, each client system having an associ- 
ated trusted identifier, with the router system being able to 
send IP packets to an individual client system using the 
trusted identifier associated with the client system, the 
method comprising the steps, performed by the router, of: 
detecting a request made by a client system for allocation of 
an IP address, encoding the trusted identifier associated with 
the client system in the request, detecting a response to the 
request from a DHCP server, the response including an IP 
address allocated to the client system, the response including 
a copy of the trusted identifier encoded in the request, 
associating the IP address included in the response with the 
client system trusted identifier included in the response, and 
forwarding the response to the client system using the 
trusted identifier included in the response. 

In further accordance with the purpose of the invention, as 
embodied and broadly described herein, the present inven- 
tion is a computer program product comprising: a computer 
usable medium having computer readable code embodied 
therein for allocating and using IP addresses in a computer 
network that includes one or more client systems, each client 
system having an associated trusted identifier, the computer 
program product comprising: first computer readable pro- 
gram code devices configured to cause a computer system to 
detect a request made by a client system for allocation of an 
IP address, second computer readable program code devices 
configured to cause the computer system to encode the 
trusted identifier associated with the client system in the 
request, and third computer readable program code devices 
configured to cause the computer system to detect a response 
to the request from a DHCP server, the response including 
an IP address allocated to the client system, the response 
including a copy of the trusted identifier encoded in the 
request, fourth computer readable program code devices 
configured to cause the computer system to associate the IP 
address included in the response with the client system 
trusted identifier included in the response, and fifth com- 
puter readable program code devices configured to cause the 
computer system to forward the response to the client 
system using the trusted identifier included in the response. 

Advantages of the invention will be set forth, in part, in 
the description that follows and, in part, will be understood 
by those skilled in the art from the description or may be 
learned by practice of the invention. The advantages of the 
invention will be realized and attained by means of the 
elements and combinations particularly pointed out in the 
appended claims and equivalents. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The accompanying drawings, which are incorporated in 
and constitute a part of this specification, illustrate several 
embodiments of the invention and, together with the 
description, serve to explain the principles of the invention. 

FIG. 1 is a block diagram of a computer network shown as a representative environment for a preferred embodiment of the present invention.

FIG. 2 is a block diagram of a router used by a preferred embodiment of the present invention.

FIG. 3 is a block diagram of an access network control server (ANCS) as used by a preferred embodiment of the present invention.

FIG. 4 is a block diagram of a services management system (SMS) as used by a preferred embodiment of the present invention.

FIG. 5 is a block diagram of a DHCP message used in a preferred embodiment of the present invention.

FIG. 6 is a flowchart showing the steps associated with a preferred embodiment of the IP address learning method of the present invention.

FIG. 7 is a flowchart showing the steps, performed by the router, for a preferred embodiment of the IP address learning method of FIG. 6.

FIG. 8 is a flowchart showing the steps, performed by the router, for a preferred embodiment of the packet forwarding method of the present invention.

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENTS 

Reference will now be made in detail to the preferred embodiments of the invention, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts.

In FIG. 1, a computer network 100 is shown as a representative environment for the present invention. Structurally, computer network 100 includes a series of client systems 102, of which client systems 102a through 102f are representative. Each client system 102 may be selected from a range of differing devices including, but not limited to, the personal computers shown in FIG. 1. A cable modem 104 is connected to each client system 102. Each cable modem 104 is connected, in turn, to a cable router 106. The use of cable router 106 and cable modems 104 is also intended to be exemplary and it should be appreciated that other networking technologies and topologies are equally practical. It should also be appreciated that a number of different cable modems and cable routers are available from various manufacturers. In particular, cable modem 104 can be a CyberSURFR cable modem and cable router 106 can be a CableMASTR cable router, both supplied by Motorola, Inc.

Router 106 is shown in more detail in FIG. 2 to include a computer system 202 that, in turn, includes a processor, or processors 204, and a memory 206. An input device 208 and an output device 210 are connected to the computer system 202 and represent a wide range of varying I/O devices such as disk drives, keyboards, modems, network adapters, printers and displays. A disk drive 212, of any suitable disk drive type, is shown connected to computer system 202. A router management process 214 is shown to be resident in memory 206 of computer system 202.

Computer network 100 also includes a series of server systems 108, of which server systems 108a through 108c are representative. Each server system 108 is connected to cable router 106. Generally, server systems 108 are intended to represent the broad range of server systems that may be found within computer networks.

Computer network 100 also includes an access network control server (ANCS) 110 and a services management system (SMS) 112. Both ANCS 110 and SMS 112 are connected to cable router 106. ANCS 110 is shown in more detail in FIG. 3 to include a computer system 302 that, in turn, includes a processor or processors 304 and a memory 306. An input device 308 and an output device 310 are connected to the computer system 302 and represent a wide range of varying I/O devices such as disk drives, keyboards, modems, network adapters, printers and displays. A disk drive 312, of any suitable disk drive type, is shown connected to computer system 302. An ANCS process 314 is shown to be resident in memory 306 of computer system 302.

SMS 112 is shown in more detail in FIG. 4 to include a computer system 402 that, in turn, includes a processor, or processors 404, and a memory 406. An input device 408 and an output device 410 are connected to the computer system 402 and represent a wide range of varying I/O devices such as disk drives, keyboards, modems, network adapters, printers and displays. A disk drive 412, of any suitable disk drive type, is shown connected to computer system 402. An SMS filter management process 414 and filtering profile database 416 are shown to be resident in memory 406 of computer system 402.

A DHCP server system 114 is also included in computer network 100 and connected to cable router 106. DHCP server system 114 is a computer or other system that implements the Dynamic Host Configuration Protocol (DHCP) defined in Internet RFC 1541, which is incorporated herein by reference. Functionally, DHCP server system 114 provides for allocation of IP addresses within network 100. Although FIG. 1 shows only a single DHCP server system 114, it is to be understood that additional DHCP server systems 114 may be used without departing from the spirit of the present invention. It should also be appreciated that the connections between the various components of FIG. 1 are intended to represent logical connections. The actual physical topology used for these connections may vary from what is pictured in FIG. 1.

A preferred format for DHCP messages sent between client systems 102 and DHCP server system 114 is shown in FIG. 5 and generally designated 500. Structurally, a DHCP message includes an op field 502, a yiaddr field 504, a chaddr field 506 and an options field 508 (examination of FIG. 5 shows that each message also includes a number of other fields; for the sake of brevity, these fields will not be discussed with particularity). Functionally, each DHCP message has a type, such as DHCPDISCOVER, DHCPOFFER, DHCPREQUEST or DHCPACK. The type of each DHCP message is encoded into the options field 508. The options field is also used for a number of other purposes, including the encoding of vendor-specific information. Each DHCP message is marked to indicate whether it is being sent from a client system 102 or a DHCP server system 114. This marking is performed by setting op 502 to BOOTREQUEST or BOOTREPLY, respectively. Within a message, the yiaddr field 504 includes, for certain types of DHCP messages 500, an IP address being passed from a DHCP server 114 to a client system 102. The chaddr field 506 is used for the machine address of a client system 102 (also known as a MAC address).

For a preferred embodiment of the present invention, router 106 learns IP addresses assigned by DHCP server system 114. A preferred embodiment of this method is shown in FIG. 6 and generally designated 600. Method 600 includes steps performed by a client system 102, steps performed by router 106 and steps performed by DHCP server 114. For convenience, these steps are shown to be included in a client system context 602, a router context 604 and a DHCP server context 606, respectively.

Method 600 begins with step 608 and is initiated when a client system 102 powers on or otherwise initially connects to the router 106. As part of power-on, the client system requests an IP address by broadcasting a DHCPDISCOVER message through cable modem 104 to router 106. Preferably, the DHCPDISCOVER message is constructed in accordance with message format 500 with op 502 set to BOOTREQUEST, chaddr field 506 set to the machine address of the client system 102, and DHCPDISCOVER encoded in options field 508. In step 608, this DHCPDISCOVER message is sent by client system 102 through modem 104 to router 106 for broadcast to all DHCP server systems 114.

In step 610, the DHCPDISCOVER message is received by the router 106. The router 106 recognizes that the received message is a DHCPDISCOVER message. Accordingly, the router 106 encodes a trusted identifier into the vendor-specific information included in the options field 508 of the DHCPDISCOVER message. The trusted identifier is an unforgeable object that positively identifies the client system 102 sending the DHCPDISCOVER message. For a preferred embodiment of the present invention, the trusted identifier is the id of the cable modem 104 from which the DHCPDISCOVER message was received. The id of the cable modem 104 is received by the router 106 when the modem was initialized, via message(s) passed between the modem and the router at that time. In step 612, the router 106 broadcasts the DHCPDISCOVER message, now including the trusted identifier, to all DHCP server systems 114.

In step 614, the DHCPDISCOVER message is received from the router 106 by DHCP server system 114. Subsequently, in step 616, the DHCP server system 114 responds to the DHCPDISCOVER message by formulating a DHCPOFFER message. The DHCPOFFER message is preferably constructed using format 500 with op 502 set to BOOTREPLY and DHCPOFFER encoded in the options field 508. The chaddr field 506 and vendor-specific information included in the options field 508 of the DHCPOFFER message are copied from the DHCPDISCOVER message. As a result, the trusted identifier is now included in the DHCPOFFER message. Additionally, the yiaddr field 504 is set to an IP address that the DHCP server 114 has allocated for the use of the client system 102. In step 616, this DHCPOFFER message is sent by the DHCP server 114 to the router 106.

In step 618, the router 106 receives the DHCPOFFER message and forwards the message to the modem 104 for receipt by client system 102. Importantly, the message is forwarded exclusively to the modem identified by the trusted identifier embedded in the vendor-specific options field of the DHCPOFFER message.

In step 620, the DHCPOFFER message is received by the client system 102. The client system 102 may accept the DHCPOFFER message or wait for DHCPOFFER messages from other DHCP servers 114. For the purposes of illustration, however, it is assumed in FIG. 6 that the client system 102 accepts the first DHCPOFFER message received. The client system 102 responds to the DHCPOFFER message by constructing and sending a DHCPREQUEST message to the DHCP server 114. The DHCPREQUEST message is constructed using format 500 with op 502 set to BOOTREQUEST and DHCPREQUEST encoded in the options field 508. The chaddr field 506 and vendor-specific information included in the options field 508 of the DHCPREQUEST message are copied from the DHCPOFFER message. As a result, the trusted identifier is now included in the DHCPREQUEST message. In step 622, this DHCPREQUEST message is sent by the client system 102 to the router 106.

In step 624, the router 106 receives the DHCPREQUEST message and forwards the message to the DHCP server 114. In step 626, the DHCP server system 114 receives the DHCPREQUEST message. Subsequently, in step 628, the DHCP server system 114 responds to the DHCPREQUEST message by formulating a DHCPACK message. The DHCPACK message is preferably constructed using format 500 with op 502 set to BOOTREPLY and DHCPACK encoded in the options field 508. The chaddr field 506 and vendor-specific information included in the options field 508 of the DHCPACK message are copied from the DHCPREQUEST message. As a result, the trusted identifier is now included in the DHCPACK message. Additionally, the yiaddr field 504 is, once again, set to the IP address that the DHCP server 114 has allocated for the use of the client system 102. In step 628, the DHCP server 114 sends the DHCPACK message to the router 106.

In step 630, the router 106 receives the DHCPACK message. The router 106 recognizes that the received message is a DHCPACK message. Accordingly, the router 106 extracts the trusted identifier from the vendor-specific information included in the options field 508 of the DHCPACK message. The router 106 also extracts the IP address allocated by the DHCP server 114 from the yiaddr field 504 of the DHCPACK message. The router 106 then forms an association between the extracted trusted identifier and the extracted IP address. This association may be maintained in a list or other suitable data structure within memory 206 of computer system 202. Preferably, the association formed between the extracted trusted identifier and the extracted IP address is two-way. Using the two-way association the router 106 can determine the IP addresses that are associated with a modem 104. The router 106 can also determine which modem 104 is associated with an IP address. Effectively, by forming this association, the router 106 has learned the IP address allocated by the DHCP server 114. In step 632, the router 106 forwards the DHCPACK message to the modem 104 for receipt by client system 102. Importantly, the message is forwarded exclusively to the modem identified by the trusted identifier embedded in the vendor-specific options field of the DHCPACK message.

In step 634, the client system 102 receives the DHCPACK message. The client system 102 then uses the IP address included in the yiaddr field 504 of the DHCPACK message as the IP address of the client system 102.

For clarity, the steps performed by the router 106 for a preferred embodiment of the IP address learning method are shown as method 700 of FIG. 7. More specifically, method 700 begins with step 702 where the router 106 receives a message. In step 704 the received message is examined, by the router 106, to determine if the message is a DHCPDISCOVER message. In the affirmative case, execution of method 700 continues at step 706 where the router 106 encodes the trusted identifier of the client system 102 that sent the DHCPDISCOVER message into the vendor-specific information of the message. The router 106 then forwards the DHCPDISCOVER message in step 708.

In the alternative case to step 704 (i.e., where the received message is not a DHCPDISCOVER message) execution of method 700 continues at step 710. In step 710, the received message is examined to determine if it is a DHCPACK message. In the affirmative case, execution of method 700 continues at step 712 where the router 106 checks to see if the IP address allocated by the DHCP server has been previously associated with another trusted identifier. In the positive case (i.e., where the IP address has been previously associated with another trusted identifier) execution of method 700 continues at step 714. In step 714 the router 106 removes the association between the allocated IP address and the other trusted identifier. This prevents a single IP address from being associated with multiple trusted identifiers. Execution of method 700 then continues at step 718 where the router 106 associates the IP address included in the yiaddr field 504 of the DHCPACK message with the trusted identifier included in the vendor-specific information included in the options field 508 of the DHCPACK message. As discussed previously, this association may be performed using any suitable data structure that allows for a two-way association between trusted identifier and IP addresses.

A preferred embodiment of the present invention also includes a method for selectively forwarding, by router 106, of packets based on learned assignments of IP addresses. A preferred embodiment of this method is shown in FIG. 8 and generally designated 800. Method 800 begins with step 802 where an IP packet is received by the router 106. In step 804 that follows, the received IP packet is examined to determine if it is a "downstream packet." Generally, routers categorize packets into "upstream" and "downstream" packets. In the case of the network topology shown for network 100, upstream packets are packets that originate at one of the client systems 102. Downstream packets are packets that are directed at one of the client systems 102.

If a downstream packet is detected in step 804, execution of method 800 continues at step 806 where the router 106 extracts the packet's destination address. Using this destination address, the router 106, in step 808, "looks up" the trusted identifier of the client system 102 that is associated with the destination address of the received packet (this association is formed by the router 106 during execution of method 600). In step 810, a test is performed to ascertain whether a trusted identifier was actually located in step 808. If a trusted identifier was located in step 808, execution of method 800 continues at step 812 where the router 106 forwards the received packet to the client system associated with the trusted identifier. In the alternative, if no trusted identifier is associated with the destination address of the packet, the router 106 discards the packet in step 814.
If a downstream packet is not detected in step 804 (i.e., when the packet is an upstream packet), execution of method 800 continues at step 816, where the router 106 extracts the packet's source address. In step 818, the router 106 retrieves the trusted identifier of the client system 102 from which the IP packet was received. In step 820, the router 106 "looks up" the IP addresses that are associated with the trusted identifier retrieved in the previous step. For the purposes of the present invention, these IP addresses are the only IP addresses that are authorized to send packets using the modem 104 from which the packet was received.

In step 822, the router 106 compares the source address of the received packet with the authorized IP addresses that were looked up in step 820. If the source address of the packet matches one of the authorized IP addresses, the router 106 forwards the packet in step 824. Alternatively, if the source address of the received packet does not match one of the authorized IP addresses, the router 106 discards the packet in step 826.
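The router's learned-address table of method 700 (steps 712 through 718) and the forwarding decisions of method 800 (steps 804 through 826), as an added example that is not part of the patent and not code from the patent's assignee. The two-way association is kept as a pair of dictionaries. The modem id that step 818 retrieves for an upstream packet is modelled as a field the router stamps on the packet from its ingress port, which is an assumption; the patent does not say how the router knows it. Identifiers and addresses are constructed for the example.

```python
"""Added example (not the patent's code): the router's learned-address table
(method 700, steps 712-718) and the forwarding decisions of method 800."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    # Trusted identifier of the modem the packet arrived on (step 818), assumed to be
    # stamped by the router from the ingress port. None marks a downstream packet that
    # arrived from the network side rather than from a modem.
    modem_id: Optional[str] = None


class LearningRouter:
    def __init__(self) -> None:
        self.id_of_ip: Dict[str, str] = {}          # IP address -> trusted identifier
        self.ips_of_id: Dict[str, Set[str]] = {}    # trusted identifier -> IP addresses

    def learn(self, yiaddr: str, trusted_id: str) -> None:
        """Steps 712-718: record a DHCPACK, keeping each IP bound to exactly one identifier."""
        old = self.id_of_ip.get(yiaddr)
        if old is not None and old != trusted_id:     # step 712: already bound to another modem
            self.ips_of_id[old].discard(yiaddr)        # step 714: remove the stale association
        self.id_of_ip[yiaddr] = trusted_id              # step 718: two-way association
        self.ips_of_id.setdefault(trusted_id, set()).add(yiaddr)

    def handle(self, pkt: Packet) -> str:
        """Method 800: 'forward:<modem id>' (downstream), 'forward' (upstream) or 'drop'."""
        if pkt.modem_id is None:                                    # step 804: downstream packet
            tid = self.id_of_ip.get(pkt.dst)                        # step 808: look up by destination
            return f"forward:{tid}" if tid is not None else "drop"  # steps 812 / 814
        allowed = self.ips_of_id.get(pkt.modem_id, set())           # step 820: addresses for this modem
        return "forward" if pkt.src in allowed else "drop"          # steps 822-826


def demo() -> Dict[str, str]:
    """Constructed scenario: two modems, a forged source address and an address reassignment."""
    r = LearningRouter()
    r.learn("10.0.0.7", "CM-A")     # DHCPACK for the client behind modem A
    r.learn("10.0.0.8", "CM-B")     # DHCPACK for the client behind modem B
    out = {
        "A sends from its own address": r.handle(Packet("10.0.0.7", "192.0.2.1", "CM-A")),
        "B forges A's address":         r.handle(Packet("10.0.0.7", "192.0.2.1", "CM-B")),
        "downstream to A":              r.handle(Packet("192.0.2.1", "10.0.0.7")),
        "downstream to unlearned IP":   r.handle(Packet("192.0.2.1", "10.0.0.99")),
    }
    r.learn("10.0.0.7", "CM-B")     # the server later hands A's old address to B (steps 712/714)
    out["downstream to 10.0.0.7 after reassignment"] = r.handle(Packet("192.0.2.1", "10.0.0.7"))
    out["A keeps using 10.0.0.7"] = r.handle(Packet("10.0.0.7", "192.0.2.1", "CM-A"))
    return out
```

Two points the flowcharts leave open, stated here as a practitioner's observations rather than as something the patent specifies: an association is only ever removed when the server reassigns the address to a different modem (step 714), so an address whose lease lapses without being reissued stays bound to its old modem until then; and a downstream packet for an address the router has not learned is dropped (step 814), which also discards traffic to any statically configured host unless such hosts are entered into the table by other means.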

It should be appreciated that the use in the preceding 
description of the use of cable modems 104 and a cable 
router 106 with regard to FIGS. 1 through 8 is intended to 
exemplary. In particular, it should be appreciated that the 
present invention is specifically intended to be used in 2 $ 
combination with a wide range of networking technologies 
and topologies. The present invention is particularly appli- 
cable to networks, like network 100, that provide for an id 
that is associated with each client system 102 and that allow 
packets to be sent exclusively to a particular client system 30 
102 using the id of the client system 102. 

Other embodiments will be apparent to those skilled in the 
art from consideration of the specification and practice of the 
invention disclosed herein. It is intended that the specification 
and examples be considered as exemplary only, with a 
true scope of the invention being indicated by the following 
claims and equivalents. 

What is claimed is: 

1. A method for allocating and using IP addresses in a 
computer network that includes one or more client systems 
connected to a router, each client system having an associated 
trusted identifier, with the router system being able to 
send IP packets to an individual client system using the 
trusted identifier associated with the client system, the 
method comprising the steps, performed by the router, of: 

detecting a request made by a client system for allocation 
of an IP address; 

encoding the trusted identifier associated with the client 
system in the request; 

detecting a response to the request from a Dynamic Host 
Configuration Protocol server, the response including 
an IP address allocated to the client system, the 
response including a copy of the trusted identifier 
encoded in the request; 

associating the IP address included in the response with 
the client system trusted identifier included in the 
response; and 

forwarding the response to the client system using the 
trusted identifier included in the response. 

2. A method as recited in claim 1 further comprising the 
steps, performed by the router, of: 

receiving an IP packet sent by one of the client systems; 

using the trusted identifier of the sending client system to 
retrieve IP addresses associated with the sending client 
system; 

retrieving a source IP address from the IP packet; and 

conditionally discarding the IP packet if the source IP 
address is not included in the IP addresses associated 
with the sending client system. 

3. A method as recited in claim 1 further comprising the 
steps, performed by the router, of: 

receiving an IP packet being sent to one of the client 
systems; 

retrieving a destination IP address from the IP packet; 

using the destination IP address to retrieve the trusted 
identifier of the client system associated with the destination 
IP address; and 

forwarding the IP packet to the client system using the 
retrieved trusted identifier. 

4. A method as recited in claim 1 wherein the detected 
request made by a client system for allocation of an IP 
address is a DHCPDISCOVER message. 

5. A method as recited in claim 4 wherein the step of 
encoding the trusted identifier associated with the client 
system is performed by encoding the trusted identifier in the 
vendor-specific information of the DHCPDISCOVER message. 

6. A method as recited in claim 1 wherein the detected 
response to the request from a Dynamic Host Configuration 
Protocol server is a DHCPACK message. 

7. A method as recited in claim 1 wherein the router 
included in the computer network is a cable router and 
wherein the network includes one or more cable modems 
with each client system being connected to the cable 
router using one such cable modem and wherein the trusted 
identifier associated with each client is the modem id of the 
cable modem to which the client system is connected. 

8. A computer program product comprising: 

a computer usable medium having computer readable 
code embodied therein for allocating and using IP 
addresses in a computer network that includes one or 
more client systems, each client system having an 
associated trusted identifier, the computer program 
product comprising: 

first computer readable program code devices configured 
to cause a computer system to detect a request 
made by a client system for allocation of an IP 
address; 

second computer readable program code devices configured 
to cause the computer system to encode the 
trusted identifier associated with the client system 
in the request; and 

third computer readable program code devices configured 
to cause the computer system to detect a 
response to the request from a Dynamic Host Configuration 
Protocol server, the response including an 
IP address allocated to the client system, the 
response including a copy of the trusted identifier 
encoded in the request; 

fourth computer readable program code devices configured 
to cause the computer system to associate the 
IP address included in the response with the client 
system trusted identifier included in the response; 
and 

fifth computer readable program code devices configured 
to cause the computer system to forward the 
response to the client system using the trusted identifier 
included in the response. 

9. A computer program product as recited in claim 8 
which further comprises: 

sixth computer readable program code devices configured 
to cause the computer system to receive IP packets sent 
by the client systems, each IP packet including a source 
IP address; 

seventh computer readable program code devices configured 
to cause the computer system to use the trusted 
identifier of each client system sending IP packets to 
retrieve IP addresses associated with each client system 
sending IP packets; and 

eighth computer readable program code devices configured 
to cause the computer system to conditionally 
discard an IP packet if the source IP address included 
in the IP packet is not included in the IP addresses 
associated with the client system sending the IP packet. 

10. A computer program product as recited in claim 8 
which further comprises: 

sixth computer readable program code devices configured 
to cause the computer system to receive IP packets sent 
to one of the client systems, each IP packet including a 
destination IP address; 

seventh computer readable program code devices configured 
to cause the computer system to use the destination 
IP address of each received IP packet to retrieve the 
trusted identifier of the client system associated with 
the destination IP address; and 

eighth computer readable program code devices configured 
to cause the computer system to forward the 
received IP packet to the client system associated with 
the destination IP address. 

11. A computer program product as recited in claim 8 
wherein the detected request made by a client system for 
allocation of an IP address is a DHCPDISCOVER message. 

12. A computer program product as recited in claim 8 
wherein the trusted identifier associated with the client 
system is encoded in the vendor-specific information of the 
DHCPDISCOVER message. 

13. A computer program product as recited in claim 8 
wherein the detected response to the request from a 
Dynamic Host Configuration Protocol server is a DHCPACK 
message. 

14. An apparatus for allocating and using IP addresses in 
a computer network that includes one or more client systems 
connected to a router, each client system having an associated 
trusted identifier, with the router system being able to 
send IP packets to an individual client system using the 
trusted identifier associated with the client system, the 
method comprising the steps, performed by the router, of: 

a first portion configured to cause the router to detect the 
assignment of an IP address to a client system and to 
associate the IP address assigned to a client system 
with the trusted identifier of the client system; 

a second portion configured to cause the router to accept 
an IP packet directed at a client system, the accepted IP 
packet including a destination IP address, the second 
portion also configured to cause the router to use the 
destination IP address of the accepted IP packet to 
retrieve the trusted identifier of the client system associated 
with the destination IP address and to forward 
the accepted IP packet to the client system associated 
with the destination IP address; and 

a third portion configured to cause the router to accept an 
IP packet sent from a client system, the accepted IP 
packet including a source IP address, the third portion 
also configured to cause the router to use the trusted 
identifier of the sending client system to retrieve IP 
addresses associated with the sending client system and 
to conditionally discard the accepted IP packet if the 
source IP address included in the accepted IP packet is 
not included in the IP addresses associated with the 
sending client system. 